New vulnerabilities in digital smart pens and IV infusion pumps that threaten the confidentiality, integrity, and availability of ePHI have been discovered by Spirent SecurityLabs researcher Saurabh Harit.

The vulnerabilities could be exploited to gain access to sensitive patient information, while the IV infusion pump vulnerability could also be exploited to cause patients harm, with potentially fatal consequences.

Smart pens are used by doctors to write prescriptions for medications, which are then transmitted to pharmacies. While the smart pen manufacturers claim the devices do not store sensitive information, Harit was able to gain access to sensitive information through the devices and view patient names, addresses, phone numbers, clinical information, and even medical records.

Harit was able to reverse engineer the smart pens and view the operating system on a monitor connected to the device through a serial interface. Initially, only low-privilege access to the operating system of the smart pens was gained, but by using an exploit the researcher was able to elevate privileges and obtain administrator access. Once administrative rights were gained and the encryption was defeated, Harit was able to access the backend servers used by the healthcare organization and view sensitive information on the patients of several doctors who used the smart pens. The vendors of the smart pens were notified of the flaws, and patches have now been released to correct the vulnerability.

Harit also discovered a so far unpatched vulnerability in an IV infusion pump which could be exploited to administer lethal doses of drugs to patients, potentially on all IV pumps used at a particular hospital. Far from being a complex and expensive hack, it was possible with a device that could be purchased for just $7. That device allowed Harit to interface with the pump, read its configuration data, and identify the access point to which the device connected.

It was then possible to set up a fake access point to which the device would connect and collect sensitive data on the patient, including the master drug list and the doses of drugs to be administered. Harit claims it would be possible to write malware that could attack all IV infusion pumps used by a hospital.

Fortunately, physical access to the devices would be required for the vulnerabilities to be exploited.

Harit will not disclose the names of the affected companies or devices, but will present the findings on the vulnerabilities at Black Hat Europe later this week.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.